Flaw Finders Lay Seige to Microsoft Office
An anonymous reader writes "The Register is reporting that bug reports on the latest iteration of Microsoft Office are certainly keeping the Redmond firm's programmers busy. So far this year 24 flaws have been found by outside researchers, more than six times the number found in all of 2005. From the article: 'The deluge of vulnerabilities for the Office programs - Word, Excel, PowerPoint, Outlook, and, for professional users, Access - signals a shift in the focus of vulnerability research and underscores the impact of flaw-finding tools known as fuzzers. The vulnerabilities in Office also highlight the threat that such files, if left unchecked, can pose to a corporate network. Not since the days of macro viruses and Melissa have Office files posed such a danger to computer security.'"
I wish someone would do this much work for OpenOffice - I mean, think of how many $ of pen testing Microsoft is getting out of this deal, and all for free! Now they just need to put some decent programmers on it to clean up bugs and they will end up with a nice solid, secure codebase.
Think of the Children; Sleep with your Sister
Guys, guys. There's nothing wrong with Microsoft Office.
Access is used by lots of small businesses keeping database logs of their customers and such...while it's not the greatest, it fills the void for a much larger customer base than you might think. In regards to the topic in general, it seems reasonable that as software grows more intricate and feature-filled as versions progress that more and more bugs will arise due to the mountains of new code added on. Maybe it's just me but 24 bugs in all of Office, when it is not even available to the public for beta testing, seems acceptable.
Siege, not seige.
Clearly, Microsoft keeps track of internal bug reports through Access.
(I keed, I keed...)
Without a proper flamewar, Anonymous was undecided on what shell to run.
The count also surpasses the 20 flaws that Microsoft has fixed so far this year in Internet Explorer, a perennial favorite among vulnerability researchers.
This is in tune with the general movement of virus and trojan writers to make money for their work, that we have been seeing in recent years. Internet Explorer was a good way to reach as many people as possible, but such attacks are also quickly detected, since they affect many people. So you make some money (for porn ads, most likely), then stop. With Office, you can attack fewer targets, but get paid well for your efforts, and no-one ever hears about it.
This sort of corporate espionage can go on for years without any antivirus vendor even getting the chance to encounter the malware. In addition, virtually 100% of corporations use Office; it's easier to leave IE in favor of Firefox than Office for OpenOffice. So targeting Office makes a lot of sense.
The worst form of "more than" abuse is, of course, when people use it with flagrantly non-round numbers. "More than 274 parts", "More than 6831 batteries", etc.
The second worst form -- which this OP engages in -- is nonsensical math. If 24 faults is "more than six times" the number of faults in the previous year, then the number of faults in the previous year was 1, 2, or 3 (if there were 4 in the previous year, 24 would be exactly six times as many). Yeah, the previous year could have been zero, but 1) I know office better than that, and 2) let's give the OP at least a tiny bit of credit.
So, ok, we're up from between 1 and 3 to 24. "More than six times"? Well, if the previous year was 3, "more than seven times" would be more accurate. If the previous year were 2, "twelve times" would suffice. And, god help us, if there were only one in the previous year, "compared to only one last year" is probably better than "24 faults, which is 24 times more than last year."
Please, join me in the crusade against "more than" abuse. It does give extra punch to a sentence, but only if used properly.
-b
If I wanted a sig I would have filled in that stupid box.
I guess it sucks if your business requires some esoteric feature in Microsoft's expensive and proprietary office software, but it is outright incompetence for any CTO to not have migrated, in the process of migrating, or planning on migrating their workers to OpenOffice at this point.
Personally, I use OpenOffice, but from what I hear it's not that easy to use OpenOffice for many corporations. Some people I know are in the process of building a tech company, and they wanted to use OpenOffice, both because of the cost and because of the security. But some testing revealed that a single feature made that impossible for them: 'track changes' worked fine in OO, but opening a document from Office with change tracking never succeeded 100%. Apparently they plan to collaborate on documents with people outside their organization, so that's a problem. Sadly it looks like they will be buying Office licenses soon.
OpenOffice is great for a home user, but 'enterprise-oriented' features like tracking changes with people using Office are a must for some corporations. Until OpenOffice gets this sort of stuff to work, I can't completely agree with the quote above.
Although, given the security risk for Office users - which we can't even evaluate, as I'm assuming most corporate espionage is never discovered - it might be rational to find a way to live without some of the features in Office. Or, alternatively, to run Office on Crossover Office on Linux (assuming some of the trojan functionality, e.g. calling home, depends on ties with the underlying OS, which makes sense to me).
it is outright incompetence for any CTO to not have migrated, in the process of migrating, or planning on migrating their workers to OpenOffice at this point.
If you don't mind me asking: how many users (corporate desktops, not friends/family) have you migrated from MS Office to OpenOffice?
Talk is cheap. Until you've moved maybe 100 or more people professionally from one to the other, you really shouldn't drone on about "incompetence". Suffice it to say: people do NOT want to change, and will put up with amazing amounts of wasted time and inconvenience to avoid doing so. Most people think of computers as these "black boxes" with arcane syntax and usability.
I've had tech support calls that consisted of somebody dragging the menu around in IE so that the "back" button had moved! (which underscores perhaps the most worthless feature MS has ever put out - the movable menu. Who ever wants to change that?)
It's not incompetence - it's following the path of least resistance. That results in less friction, which results in happier staff which results in more productivity, which results in more profit, which means that the executives get richer, the lackeys don't get fired, and everybody is satisfactorily miserable.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Access is a very powerful program, if nothing else it allows you to easily create a frontend to a much more powerful database with very little fuss.
Access is huge in business because it is trivial to modify the user interface, and to add functionality later on. A massive database solution might do the job faster but if the IT staff can't go in and change the interface every now and then it is pointless. A prime example is upgrading the user interface from the one designed in 1998 for an 800x600 screen to a more recent 1024x768 interface.
Access actually has a number of uses in the business world, and even the enterprise.
Even in larger businesses, where a major enterprise database/system would NEVER be written in "Access", it's not uncommon for a little Access app to be written as a custom front end to some aspect of an MSSQL server database. In fact that's one of Access' strengths: it's actually a pretty good RAD (rapid application development) tool for building simple UI front ends for larger databases. And since Access is bundled with Office Pro it's basically "free" in this environment.
Just for clarification the article says that the flaws are being found in the latest production version of office, not the latest iteration (which would imply pre-betas of office 2007 (2008?, whatever)). Obviously it would be stupid to compare the flaws in a production product with those in a pre-beta, which is what the summary on /. seems to imply.
Philosophy.
If the business case for switching to OO were that clearcut, you think MS Office would still be around?
Yes. Absolutely. "Nobody ever got fired for recommending Microsoft Office."
I know several businesses where 90% of the users don't need much more than WordPad who are running MS Office Pro. They only use spreadsheets at all because the "table" layout makes doing certain types of form easier -- they have timesheets, expense sheets, etc that don't even use calculations. They don't use PowerPoint or Access or even Outlook. (They're on corporate webmail.)
They DO NOT need several hundred licenses of MS Office.
But the IT director authorizes Office Pro on every new desktop. There is no business case for it. When I suggested they cut costs and standardise on OO on at least the machines that are being used by low level staff to fill out their time sheet and read office memos I just get a blank stare.
They've never heard of it, don't believe that it could possibly meet their needs (which they've clearly never actually assessed), and they have ZERO intention of even looking into it. Worse, they've been gradually growing, and new machines come with new Office while the old machines have "old Office", so they are supporting users with every version of Office since 95.
It's sad.
FWIW I *have* converted a couple of companies to OO, and the most recent was done as part of a general upgrade. We pulled out boxes with Win98 and Office 98 and dropped in new XP Pro boxes with OO. We set the defaults to use Office formats so there would be minimal transition issues. Most staff aren't even really aware they aren't using Microsoft Office anymore -- which is unfortunate really, because it's not doing OO much good if people don't even know they are using it.
I've also recommended OO to many home users. For the most part they are happy with it, and it works well enough that they actually prefer the "legality" of it even if it's not 100% what they are used to.
Why would they write this? 4x6 is 24, and every integer under 4 is a factor of 24. So they could have said "8 times as many", or "12 times as many". But why "More than 6 times"?
ok, just to clear a few things up:
1) they're talking about security vulnerabilities, not bugs. I'm sure the number of Office bugs are in the thousands... It's pretty difficult to write a large piece of software without them
2) The article was stating that 24 Vulnerabilities were found in the current crop of Office, not in the up and coming Office 2007, so your bit about "not available to public" is not applicable
being vague is almost as cool as doing that other thing...
Okay, 24 flaws were found. And yeah sure, it could be that it was actually "six times more than" (see the great post about "more than" abuse) found in all of 2005. It could just mean that they've been looking harder this year, not because flaws didn't exist before. The longer the program has been in development, the longer they have had to expose flaws. Plus, we really don't know anything about these "flaws". The article is very vague. We don't know the nature of the flaws, how difficult they will be to fix, or even how likely any hacker would be able to even use the flaw to do any serious damage.
And on the topic of flawed interpretation, I really must protest the comparison of an entire suite of at least 4 applications to ONE (internet explorer). That's worse than meaningless - that's just plain stupid.
You know how the saying goes about statistics - "The average human being has one breast and one testicle."
"The only normal people are the ones you don't know very well."
Bollocks! They've always posed a danger, it's just that now they're getting some attention. I wonder if they'll look at TrueType/OpenType fonts any time soon - anyone remember the BSOD .ttf file?
Our (very small) business recently migrated *away* from Open Office. New staff were confused, couldn't do things the way they were used to. They arrive already knowing how to use Word, Excel, PowerPoint (ugh! but it's sometimes necessary) but give them OpenOffice and there is a substantial learning curve. Remember, what slashdot uber-geeks can learn in 5 seconds takes the average person 10 weeks. Since changing to Office our productivity on certain tasks such as collaboratively authoring documents has increased substantially. We just send the latest version and they send it back with the edits marked in track changes. Yes, all can be done using OpenOffice - but not when the customer or client doesn't have OpenOffice. OpenOffice has to be really, really easy for someone to use who is familiar with Office (it's getting closer, but a long way to go). And its ability to save to and read from Office formats needs to be a lot better than it currently is.
In theory, there's no difference between theory and practice; in practice there is.
I believe by "professional user" our anonymous friend means "person who for some reason purchased the Professional Edition of Microsoft Office, possibly because it sounded cooler". I use it for phone numbers!
A few dozen - companies are small around here, so 'hundreds' would mean changing jobs a lot.
This is nonsense. In my experience, almost every user has no interest in the matter at all. They don't "want to change" but neither do they "not want to change". In fact, they don't want to be bothered by the decision. I could install MS Office; they wouldn't understand how to use it. I can install OpenOffice; they don't understand how to use that either, but it costs less and reduces worm damage. Either way, I'm going to get the same number of calls from people who can't figure out how to change the font size.
It's not that they're willing to put up with amazing amounts of wasted time and inconvenience to avoid switching - it's that they're willing to put up with wasted time and inconvenience, period. That has got nothing to do with their choice of software; they assume that all software is going to waste their time and inconvenience them, and consider it to be what they are paid for.
There are occasionally a small number of 'power users', who like to play with all the toys in a piece of software. These are the ones who loudly and strongly object to (any) changes. I simply forward all their complaints to the company directors, along with a quote for a copy of MS Office to install on that user's workstation; the directors can then decide whether this person is worth spending the extra money on. Interop between different versions of Office with different paper sizes is a joke anyway (because the users do not understand how to make it work), so they don't notice any extra problems caused by converting back and forth between MS and OpenOffice formats. The users understand that if they want a document to look the same way to the person receiving it, they should either (a) print it, or (b) send it as a PDF (because that's what I tell them every time they have trouble with this).
The reason for all this is simple: word processing and other 'office' applications are largely comprised of things that are not 'business-critical'. This means that so long as you can get a tidy-looking document onto a piece of paper, the rest is not significantly going to affect the business. The efficiency of this process does not have any visible effect on the bottom line (regardless of whether it has any actual effect) - because producing documents is 'overheads', not a part of the 'productive' side of the business (for most businesses). If you were in a business where the documents were your actual product, then it might matter, but you probably aren't (I'm not). Once I sketch these things out for the company directors, they invariably say "do it the way that doesn't involve spending £300 per workstation". They don't care about anything else, and consider the requests for expensive copies of Office in the same manner that they consider requests for expensive leather office chairs. While it is somewhat perverse to think of Office as a luxury, I don't have a problem with this because it means I have fewer copies of the thing to support.
My goodness, where did you get that idea? Nobody seriously cares about the happiness of employees doing office work, because they are interchangeable and frequently changed. It comes back to that "not business-critical" thing again. You want the employees producing your
Absolutely. As soon as OO implements a large enough subset of Office features, I'll be all over that.
Until then, as long as there's a need to embed documents, to use a powerful macro language that communicates with the OS and other software, to have data update in real time, to interop with business logic that depends on DDE or XLLs, or to do any of the million other essential things that Excel (in particular) does and OO does not, it's "Hello, Clippy!"
Actually, though, I do have some questions for those who might take a more optimistic view than me:
1 -- maths formulae created in OO don't seem to work in Word. Is that OO's fault or Word's?
2 -- Bloomberg's DDE system seems not to work with OO (not that it's particularly efficient in Excel either). Is that OO's fault or Bloomberg's?
Whence? Hence. Whither? Thither.
Ah. What a wonderfully simple world. If only end users would listen to us IT geeks who know what they actually need, and if only every IT geek agreed on what that need actually was... Do you really believe there is no business case to be made for pre-installing a common suite of desktop apps, of which most of the workforce has experience, and which is known to serve the needs of power users? And do you think issuing edicts ex cathedra on what your user base really needs, without careful evaluation, is the best way to serve their long term interests?
Congrats on having run across so many low-tech businesses where WordPad suffices for 90 % of users. However, I'd suggest you avoid hitching your wagon to them: the ratio and level of knowledge workers in most Western industries can only increase, and for them WordPad and its ilk quickly becomes a straitjacket. OO is a better option, but there are several forces which makes switching an expensive proposition. There's considerably more to a computer as a professional tool than producing paper output. As a corporate customer, I'm reasonably impressed by MS' product targeting: they (as does e.g. IBM) push features which enable collaboration, where OO is years behind. (Of course, other features, such as 'smart tags', are still solutions in search of a problem... but it's a cool API!)
I can't help but wonder what levels of annoyance and missed opportunities are hidden behind those who do not belong to the 'most are happy' category you mention. You don't need to kill all the yeast to get bread that does not rise... and those few percent who are not happy may well be those who could have made a real creative difference.
No, MS Office isn't the greatest set of products ever created. Yes, OO has many great features, and may well suffice for the needs of many. That still does not a business case make, no matter how many anecdotal war stories we recite, without hard numbers. If there really were such huge savings to be made across the board, there should be locust swarms of consultants helping companies make a tidal wave of conversion across the industry. Instead, we hear mixed reports, with some pointing to at least initial successes, but others migrating back into MS' fold. You may claim that is due to inbred stupidity, but that wouldn't tend to convince most people... Thus, CTOs tend to place higher priority on efforts which actually are likely to save or make some money for their companies, oddly enough.
First, major citation programs that are critical to published scholarship, such as End Note, will not integrate with OpenOffice.
And? When I did my MSc we did use MS Office (before the days of OOo) but we did all our citations by hand. It didn't make things much slower as long as you were organised. And if you're not organised enough to keep track of your citations, what the hell are you doing in academia anyway, and what the hell is your thesis going to read like?
Bob
Listen to my latest album here
I don't want to switch because OO messes up the formatting of many of my existing Word documents. That's my only reason for not wanting to switch.
I'm sure this problem will go away sooner or later but until then it's just so much easier to use Word instead of Writer.
ActiveSync doesn't require Outlook.
You can sync your device directly to the Exchange server, effectively skipping the need for the installation of any software on the desktop machine.
You can also use ActiveSync across a GPRS link, and get BlackBerry-like functionality (including E-Mail Push).
It seems amazing to me that there are so many very critical flaws in Microsoft products. If someone else can find the flaws, why didn't Microsoft?
I've heard that Microsoft is managed in such a way that programmers don't have time to finish their work. I know that Microsoft makes more money if there are more flaws, because users can be expected to upgrade.
However, it seems that there are too many bugs for that to be the whole explanation.
So, why, year after year, has Microsoft been at the top of the vulnerabilities list? I don't accept the argument that "software is complex, and always has bugs." There are people who know how to write complex software that is secure. Microsoft could certainly hire such people. If the company wanted to have software that was relatively free of vulnerabilities, it could.
The argument that Microsoft vulnerabilities get more attention doesn't seem adequate to me to explain the huge number of very severe bugs.
But, what is the explanation?
May I point you to the OpenBSD bug tracker, in which you may notice a bug has been open (Not even analyzed) since 1997. MSFT isn't the only one who doesn't fix bugs quickly, 9 years is a bit excessive.
How many people can read hex if only you and dead people can read hex?
Word Perfect has been doing footnotes, endnotes, citations etc. very well since version 6 for DOS. Very well. As far as citations go, I created a file with alphabetized, formatted references cited 15 years ago & just add new stuff to it. It is currently in the vicinity of 100 pages long.
As far as PowerPoint goes, I put together my last presentation in the OO clone & exported it as a .ppt file. No real problems other than my own unfamiliarity with such routines. I really prefer a slide projector... and careful preparation over glitz.
If you want your life to be different, live it differently.
You should have posted the bug #. I'm willing to bet that the 9 year bug is neither severe or security related.
I've had tech support calls that consisted of somebody dragging the menu around in IE so that the "back" button had moved! (which underscores perhaps the most worthless feature MS has ever put out - the movable menu. Who ever wants to change that?)
Well, you're getting Office help calls, so I'll assume you are not a developer.
You would be amazed at the 'requirements' that a lot of users have, and the features that they MUST use. I write software for a primarily academic crowd. Each person (PhD) just needs to have the system work the way they want it to work. Because as you said, to them it is just a black box. If things don't look right, they can't figure it out.
After sitting in meetings where 4 people have 4 opinions on where a menu should be, eventually the only answer is to make the location an option, make it moveable.
This shit happens all the time.
No reason to lie.
Is it somehow considered "unfair" to use these tools? Does MS already know of the flaws found by these tools and has just chosen not to fix them? Do the OO.org people run these tools against the OO.org suite?
From a practical point of view, these tools just seem like regression tests. Tests that we all know we should run, but few take the time to do so. And as software developers, not running regression tests really puts the responsibility for the flaws in the developers' lap, not QA or the user.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
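The summary above credits fuzzers for the run of Office file-format flaws, and the post above asks what these tools actually do. As an added example (not from the article or from any poster in this thread), the Python below is a minimal mutation fuzzer: a toy record format, a parser that trusts a file-supplied length the way real document parsers have, a hardened version that validates it, and a loop that mutates a seed file and reports anything that crashes. The record format, the bug, the seed data and every name here are invented for illustration and do not describe any real Office format or any of the 24 flaws the article counts.

```python
"""Minimal mutation fuzzer against a toy record-based file parser.

Everything in this file is constructed for illustration: the format,
the parser, its bug and the seed file are not any real Office format.
"""
import random
import struct

SCRATCH_SIZE = 64  # fixed-size buffer the buggy parser indexes with a file-controlled value


def build_seed() -> bytes:
    """Constructed sample input: records of [type:1][length:2 LE][payload]."""
    recs = [(0x01, b"Hello"), (0x02, b"World!"), (0x03, b"\x00" * 16)]
    out = b""
    for rtype, payload in recs:
        out += struct.pack("<BH", rtype, len(payload)) + payload
    return out


def parse_records(data: bytes) -> list:
    """Deliberately buggy parser: trusts the length field of type-3 records."""
    scratch = bytearray(SCRATCH_SIZE)
    records = []
    pos = 0
    while pos + 3 <= len(data):
        rtype, length = struct.unpack_from("<BH", data, pos)
        pos += 3
        payload = data[pos:pos + length]
        pos += length
        if rtype == 0x03:
            # BUG: no check that `length` fits the scratch buffer. In C this
            # would be an out-of-bounds write; in Python it is an IndexError.
            scratch[length - 1] = 0xFF
        records.append((rtype, payload))
    return records


def parse_records_safe(data: bytes) -> list:
    """Hardened parser: every file-controlled length is validated before use."""
    scratch = bytearray(SCRATCH_SIZE)
    records = []
    pos = 0
    while pos + 3 <= len(data):
        rtype, length = struct.unpack_from("<BH", data, pos)
        pos += 3
        if length > len(data) - pos:
            raise ValueError("record length runs past end of file")
        payload = data[pos:pos + length]
        pos += length
        if rtype == 0x03:
            if length == 0 or length > SCRATCH_SIZE:
                raise ValueError("type-3 record length out of range")
            scratch[length - 1] = 0xFF
        records.append((rtype, payload))
    if pos != len(data):
        raise ValueError("trailing bytes after last record")
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Overwrite one to four random bytes: the simplest 'dumb' mutation strategy."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 5000, rng_seed: int = 1):
    """Feed mutated seeds to `parser`.

    A ValueError is a clean rejection of malformed input and is expected.
    Any other exception counts as a crash and is returned as
    (iteration, input, exception). Returns None if nothing crashed.
    """
    rng = random.Random(rng_seed)  # fixed seed so runs are reproducible
    for i in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except ValueError:
            continue
        except Exception as exc:  # a fuzzer wants to see every other failure
            return i, sample, exc
    return None


if __name__ == "__main__":
    seed = build_seed()
    hit = fuzz(parse_records, seed)
    if hit is None:
        print("buggy parser: no crash found")
    else:
        print(f"buggy parser: crash at iteration {hit[0]}: {hit[2]!r} "
              f"on input {hit[1].hex()}")
    print("hardened parser:", fuzz(parse_records_safe, seed))
```

Run stand-alone it prints the iteration number and the hex of the mutated file that crashed the buggy parser, and None for the hardened one, which only ever raises the ValueError it is designed to raise. Real fuzzers differ in scale, in mutation cleverness and in the target being native code where the "crash" is a memory-safety fault caught by the OS or a sanitizer, but the loop is the same: mutate, run, catch. That is also why the regression-test comparison in the post above is apt: once the crashing input is saved, it becomes exactly that.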
ActiveSync is the absolute worst synchronization software on the planet.
It took me a long time to get it to work on my father's machine, and after spending a considerable amount of time doing research on the problem it spontaneously started working correctly.
No, I am not kidding. I have never seen a functional piece of software that was as capable of acting flaky and indeterminate as ActiveSync.
And someday someone is going to have to explain to me what ever happened to plug-and-play under windows. If you accidentally plug a usb device in that was never plugged in before and doesn't have drivers installed you spend the next 15 minutes cleaning it up so you can install drivers.
Your experiences make you a lucky fellow. I do 3rd-party corporate IT, so unlike you I _do_ have hundreds of users without changing jobs.
While some of my customers are exactly the casual users that you describe, who don't really "need" Office, there's more at stake than you're really seeing. First, users and businesses evolve. Sally the Secretary might not actually need Word right now, but if she develops a need for Word at any point during the life-cycle of the computer she uses, there's going to be a problem. That problem: OEM software is cheaper than retail and only purchasable with hardware. Ooops. Okay, how about Volume Licensing? Sure, that's do-able, but there's a minimum number of licenses that have to be bought at once to qualify to open a VL account, which only lasts TWO YEARS. It's often -- not always -- a good idea to set up the PC with the functionality it's likely to acquire during its life cycle on day 0.
Next, all it takes is one feature not present in "the industry standard", a.k.a. MS Office, to throw into fairly severe scrutiny any advice to use an alternate product, free or not. Want to know how many tool-and-mold programs that render cutter-paths link to Excel? Excel. Not "something functionally equivalent to Excel." Want to know how many insurance industry programs that do either client-management or quote-generation link to Word or Outlook? Not "something functionally equivalent to Word or Outlook." It's common. Not universal, but common. And again, if you implement something "nonstandard" day 0 and have to come back later to retrain and rework even a small department, it's easy for accounting departments (the guys who often link their software to Excel or Access) to wonder why things weren't just done "right" in the first place. You're the IT guy. You should've seen this coming.
The point that I'm trying to make here is that there's a reason why I have been unable to recommend Firefox (for instance) to even a single customer, despite being firmly addicted and a True Believer. One site that doesn't render "right" or even "the same" and my recommendation becomes suspect. One call to the support desk at whatever-business-partner-whose-site-doesn't-SEEM-to-be-working-right and they throw up their hands in the air saying "oh, Firefox...? We don't support that." One reluctant business-owner who can barely turn his computer on who wants to know why everyone else gets something different.
It's hard. It's very hard in a LOT of cases to recommend anything other than MS' products. And that's the ugly truth.
"Oh no... he found the
>Number: 137
>Severity: critical
As quoted from the tracker.
Suggesting Office is pretty bad, but you do have some semi-legitimate reasons.
A bit of optimism is called for.
Suggesting IE is pure evil. You're needlessly putting critical data at risk.
And do you think issuing edicts ex cathedra on what your user base really needs, without careful evaluation, is the best way to serve their long term interests?
What makes you think there wasn't careful evaluation?
Congrats on having run across so many low-tech businesses where WordPad suffices for 90 % of users. However, I'd suggest you avoid hitching your wagon to them: the ratio and level of knowledge workers in most Western industries can only increase, and for them WordPad and its ilk quickly becomes a straitjacket.
I'm not talking "knowledge workers in cubicles collaborating on documents". Maybe they -do- need office. Maybe there is a business case for them having office. In MANY cases there is, I work with companies on MS-Office that I wouldn't recommend switch.
The 90% of workers I referred to worked for a company that was a chain of retail stores. Those workers were retail sales people. They had into the hundreds of computers, 3+ per store, each with Office so staff who spent 90% of their time in the POS application could do their timesheets once a week. Along with a handful of Word templates for misc correspondence -- fax cover letter, PO for office supplies, etc.
I think you underestimate the number of people using Office like this. These aren't "knowledge workers" creating and collaborating on documents. These are people like travel agents, insurance salesmen, car salesmen, fast food restaurant managers, retail stores, mechanics, plumbers, etc, etc. They use Office to write the odd letter, fill out forms/templates sent down from a head office, and so on. That's it.
As for being "wary of hitching my wagon to them", what's there to be wary of? You think the girl selling you pants is going to be outsourced to india? Or perhaps you think she'll be collaborating on a team document after she rings up your sale?
Couldn't agree more..
Companies aren't interested in open source, just because it's open source... it has to not only have all of the features of MS office, but it has to give them a reason to switch.. it has to save them money, or make them more productive.
Yes.. OO is free. so it would save them money WHEN THEY ARE LOOKING TO UPGRADE from what they already have.. but if they have Office and it's working, switching to a new office suite for no reason is only going to cost them money.
Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?